OWASP Case Study

Overview
This OWASP work shows cross-functional depth, problem solving, initiative, and strong execution on mature public web infrastructure. Across shared-theme and project surfaces, Rito identified user-facing friction, clarified browse and discovery workflows, and shipped the front-end and publishing systems needed to support them. VWAD is the clearest thread: the work starts with legacy rescue and Advanced Search, then expands into foundational UX, browse architecture, publishing infrastructure, and faster pre-rendered surfaces on the rebuilt vwad.owasp.org platform.
The overall pattern is sustained product thinking, UX leadership, and full-stack execution inside a live OWASP ecosystem.
Quick Highlights
- VWAD Platform Foundations
Helped establish the product foundations of the rebuilt VWAD platform through sustained UX, front-end, and publishing architecture work as it transitioned into a production-tier OWASP project.
- Legacy VWAD: UX Rescue and Product Expansion
Rescued the legacy directory’s table UX on mobile, then expanded the product with Advanced Search functionality for richer discovery workflows.
- OWASP Site Theme Mobile Rescue
Rescued site-wide mobile breakage in the shared OWASP site theme used across the broader multi-repo web ecosystem.
- OWASP Top 10 RC Mobile
Rapidly identified and fixed site-wide mobile layout breakage on the live 2025 OWASP Top 10 release-candidate surface, stabilizing a high-visibility public-facing release.
Ecosystem Background Context
OWASP (Open Worldwide Application Security Project) is a nonprofit, community-led cornerstone of application security, founded in 2001 and now spanning hundreds of chapters worldwide. It is best known for the OWASP Top 10 security risks, along with widely used resources like the Vulnerable Web Applications Directory and training projects like OWASP Juice Shop.
Structurally, OWASP is also a many-repos ecosystem with shared web infrastructure. Projects and chapters commonly live in separate repositories that publish under owasp.org using a shared theme, so one strong contribution can either improve a single flagship surface or ripple across a much wider public footprint.
VWAD is the flagship depth example here. The older owasp.org directory established the foundation with a table rescue and Advanced Search, and the newer vwad.owasp.org work expanded that into sustained product, browse, front-end, publishing, and rendering improvements on a rebuilt platform.
VWAD Platform Foundations
Quick Highlight: Helped establish the product foundations of the rebuilt VWAD platform through sustained UX, front-end, and publishing architecture work as it transitioned into a production-tier OWASP project.
Productizing the Browse Experience
On the rebuilt VWAD platform, Rito helped establish the product foundations for how the directory would be browsed, searched, and experienced. The work shaped VWAD into a stronger discovery product, with clearer browse modes, richer filtering, stronger mobile behavior, and more intentional entry points into search.
The major anchor was PR #30, which split browsing into Basic and Advanced modes and added grouped multi-select filters, AND/OR matching, stars and year-range filtering, mode-specific state, and shared removable filter pills. Supporting UX work across the browse surface improved overflow handling, sticky controls, header scaling on narrow screens, wrapped-pill spacing, and other mobile/table behaviors that made the interface denser without becoming brittle.
Rito also formalized baseline installability with PR #36. That added manifest metadata, icons including a maskable variant, minimal service worker support, iOS standalone metadata, and shortcuts that drop users directly into basic or advanced search. The result was a browse surface that felt more like a purpose-built product and less like a raw directory shell.
Building the Publishing and Discovery Substrate
Rito also helped establish the publishing and discovery substrate behind the rebuilt platform. PR #37 moved VWAD from a JavaScript-dependent app-detail shell toward a build-backed publishing surface with dedicated static app pages at /app/<slug>/, machine-readable JSON-LD, sitemap generation, compatibility handling for older URLs, and GitHub Actions deployment of generated output.
That changed the nature of the platform itself. Each app became a directly addressable, crawlable document instead of content trapped behind a single client-rendered detail route, making VWAD behave more like an indexable publishing system for curated vulnerable applications.
The implementation approach matters too: the build pipeline stayed lightweight and stdlib-driven, paired generation with purpose-built validation, and expanded VWAD's surface area without turning the project into a dependency-heavy stack.
Hardening the Launch Surface
To support that growth, Rito also hardened the launch surface itself. PR #31 refactored a monolithic stylesheet into smaller shared and page-specific stylesheets, removed dead code, fixed cascade conflicts, and normalized shared chrome across pages.
That lowered the cost of continued feature work and gave the rebuilt platform a cleaner front-end foundation. PR #41 then pushed key VWAD surfaces further away from pure client-side rendering by pre-rendering the featured-app shell with loading placeholders before data arrives.
The user-facing result was a faster and more stable initial experience, with less layout instability and a homepage that felt materially more solid during load. Maintainer feedback on the PR explicitly called out a major PageSpeed difference after the change.
Conclusion
This work helped define how the rebuilt VWAD platform would function as a user-facing product: how people browse it, how its content is published and discovered, and how the launch surface performs and scales.
Legacy VWAD: UX Rescue and Product Expansion
Quick Highlight: Rescued the legacy directory’s table UX on mobile, then expanded the product with Advanced Search functionality for richer discovery workflows.
Table Rescue and Mobile Responsiveness
The older VWAD site on owasp.org established the continuity of this work. The flagship table had become effectively unreadable on mobile: columns collapsed into near-vertical text, badges and icons shrank to microscopic sizes, and the page itself could overflow horizontally.
Rito opened an issue and shipped PR #171, which stabilized column sizing, introduced contained horizontal and vertical scrolling, and made headers sticky so users could actually navigate the directory across breakpoints.
Advanced Search and Normalization
That legacy phase then expanded into feature work. Advanced Search turned the table into a real query interface, while follow-up work in PR #214 and PR #217 kept the filtering surface coherent through deduping and canonical tech-label normalization.
That matters because the old VWAD run was not just a rescue. It already showed product thinking: multi-parameter search, shared pill-based state, and normalization layers that reduced contributor friction while keeping the end-user query experience clean.
Conclusion
In a legacy project nearing the end of its lifecycle, this work showed strong judgment and targeted execution: identify the highest-friction user problems, solve them directly, and leave the product materially more usable through a rescued mobile table UX and Advanced Search.
OWASP Site Theme Mobile Rescue
Quick Highlight: Rescued site-wide mobile breakage in the shared OWASP site theme used across the broader multi-repo web ecosystem.
The shared Jekyll site theme used across the owasp.org ecosystem had systemic issues in key elements that caused site-wide breakage. The cookie bar was not fully visible and could not be dismissed because the close icon was off-screen. On mobile load, large sections of the page were hidden by overflow, forcing awkward panning and hurting navigation and accessibility.
Rito diagnosed the root causes and applied a cohesive set of fixes across mobile and tablet breakpoints while preserving the original design intent. He opened an issue and shipped a pull request, and maintainers merged the changes after review.
Impact was immediate and broad: the shared theme stopped breaking layouts across the OWASP ecosystem, and the homepage experience became reliable on mobile and tablet.
Conclusion
On a shared theme powering many OWASP surfaces, including the flagship main site, this work demonstrated strong systems diagnosis, judgment, initiative, and targeted execution. It required isolating complex UI behavior, communicating the root problems clearly, and shipping the right fixes with broad downstream impact.
OWASP Top 10 RC Mobile
Quick Highlight: Rapidly identified and fixed site-wide mobile layout breakage on the live 2025 OWASP Top 10 release-candidate surface, stabilizing a high-visibility public-facing release.
The 2025 OWASP Top 10 was in pre-release as a Release Candidate on the live, publicly viewable production site, with a watermark on every page to signal draft status. On mobile, that watermark was not configured correctly and ended up breaking layout, hiding the navigation menu and impacting normal scroll behavior while also adding whitespace more than twice the size of the page content itself.
Rito opened an issue and shipped a pull request that corrected the watermark layout and restored normal layout and scroll behavior across breakpoints. He also alerted maintainers in the OWASP Slack with the issue and fix, and it was promptly merged while the release candidate phase was still active.
Conclusion
This work showed strong judgment and rapid execution on a live release surface: identify the issue quickly, communicate it cleanly, resolve it directly, and keep the core release process moving without added friction.